
Termination of any employee is a difficult process, but terminating a system administrator can add several layers of complexity.

SDGblue can help your organization be ready for these trying, tense, and often time-sensitive situations. A system administrator has an intimate knowledge of your company's data and systems. To guide you in severing the ties between your organization and your system administrator, SDGblue has provided a checklist of items that you should consider during your termination process. This list should be viewed as complementary to your internal employee termination process and unique to the system administrator position. The Onsite Checklist below is only a guide, is not comprehensive, and in no way claims to be the full system administrator termination checklist for your organization. Also, many of the individual items in the checklist can be completed internally, but the complexity and potential for unexpected challenges justify a hands-on approach. SDGblue strongly advises your organization to have an onsite technical presence. Should you need more in-depth advice, please call us at 859.263.7344 so that we may help you develop a complete employee termination process.

Onsite Checklist
1. Perform full system backups of critical systems. This may require additional resources, and an internal resource should validate the critical servers. An image backup of the servers to a portable hard drive device would give you the ability to make full backups very quickly and allow for storage of the images offsite.
2. Disable the Active Directory User account(s).
3. Disable/change passwords for any other identified user accounts or authentication methods, e.g. vendors, contractors, partners.
4. Disable any other remote access identified in the infrastructure audit. Some examples are below:
   a. VPN access into network
   b. VPN access to any of the firewalls (main or branches)
   c. RDP into servers
   d. VNC into servers or workstations (check firewalls to see if this exists)
   e. Dial-in access to any systems
   f. Call home software, e.g. GoToMyPC, which could be loaded on any server or workstation
   g. Any KVM devices with IP capabilities
   h. Any SSIDs on wireless that do not depend on Active Directory Authentication
   i. Any iLO or DRAC or similar hardware management ports or boards in any servers
   j. Any UPS network management cards
   k. Any environmental monitor devices with IP access
   l. Outlook web access
   m. Cellular phones with access to synchronize email
   n. Managed VPN network
5. Re-route email, phone, Track IT and any other identified communication to the identified staff.
6. Change physical access methods at the main location and branches, e.g. key code access on the doors, key locks changed, access cards revoked, alarm codes changed.
7. Notify staff of the termination.
8. Notify all third parties identified in DR/BCP documentation of staff change, and provide contact information for the new contact. An example list is below:
   a. DNS hosting
   b. MX records for the email server
   c. ISP
   d. Managed VPN
   e. Telephone systems vendor or vendors
   f. Website hosting
   g. SSL Certificate Providers
   h. All software vendors/volume licensing vendors
   i. Alarm company
9. Change administrative access.
10. Audit System Administrator workstation for beaconing or call home software such as GoToMyPC.
11. Audit Active Directory for all administrative level access. Change passwords for all user objects with administrative access.
12. (Optional) Audit network devices for beaconing or call home software.
13. (Optional) Audit network for rogue Access Points and unauthorized wireless access.
14. Audit network edge devices to identify any remote access allowed into or through devices directly attached to the internet or indirectly attached through firewall rules.
15. Audit wireless networks for SSIDs that do not require Active Directory authentication.
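
One way to carry out the Active Directory audit and password-change items in the checklist above, as an added example that is not SDGblue's own tooling. It assumes the RSAT ActiveDirectory module and read access to privileged groups; the cutoff time, the group list and the output path are assumptions to adjust.

```powershell
# Added example. Read-only: it reports on the directory and changes nothing.
Import-Module ActiveDirectory

# Constructed sample value: the moment the administrator's own account was disabled.
$Cutoff = Get-Date '2024-01-15 09:00'

# Built-in privileged groups; add your organization's delegated admin groups here.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Backup Operators', 'Server Operators'

$seen = @{}   # distinguishedName -> privileged groups that grant the account access
foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirect membership is not missed.
    # Groups absent from this domain (e.g. Schema Admins in a child domain) are skipped.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        if (-not $seen.ContainsKey($m.distinguishedName)) { $seen[$m.distinguishedName] = @() }
        $seen[$m.distinguishedName] += $group
    }
}

# Accounts stamped adminCount=1 are, or once were, in a protected group; review them too.
Get-ADUser -LDAPFilter '(adminCount=1)' | ForEach-Object {
    if (-not $seen.ContainsKey($_.DistinguishedName)) {
        $seen[$_.DistinguishedName] = @('adminCount=1 only')
    }
}

$report = foreach ($dn in $seen.Keys) {
    $u = Get-ADUser -Identity $dn -Properties PasswordLastSet, LastLogonDate, whenCreated
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Enabled         = $u.Enabled
        Groups          = $seen[$dn] -join '; '
        PasswordLastSet = $u.PasswordLastSet
        LastLogonDate   = $u.LastLogonDate
        WhenCreated     = $u.whenCreated
        # An enabled privileged account whose password predates the cutoff still needs a reset.
        NeedsReset      = $u.Enabled -and (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt $Cutoff)
    }
}

$report | Sort-Object SamAccountName |
    Export-Csv -Path .\privileged-accounts.csv -NoTypeInformation
$report | Where-Object NeedsReset | Format-Table SamAccountName, Groups, PasswordLastSet
```

Re-run it after the password changes: the final table should come back empty, and the CSV gives the incoming administrator a record of who holds administrative access and through which group.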

Questions you need to ask:


1. Do you need to secure the workstation from a forensic standpoint? Is your organization interested in substantiating or investigating any activities that may have been performed on or from the system administrator's workstation?
2. Who will be given administrative privileges, or will this be shared with additional staff? If it is to be shared, you need to identify those staff members and their levels of access to IT systems.
3. Where should phone calls and emails directed to the System Administrator be routed immediately after termination?
4. Where should Track IT ticket information requests and problem reports directed to the System Administrator be routed immediately after termination?
5. Do you have a password list for all IT systems, vendors and devices?
6. Is the network equipment physically secured?
7. Who will be the technical contact and System Administrator in the interim, or has a replacement already been identified?
8. Have you also followed any internal employee termination processes?
9. Have you performed an audit of major purchases over the last 12 months?

Should you have any questions about this list or need additional resources, please contact SDGblue at 859.263.7344.
